CVE-2020-24553
published 2020-09-02
CVE-2020-24553: Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Priority P429 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
3.65%
88.2th percentile
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.2-1 (bullseye) | golang-1.15 1.15.2-1 (bullseye) |
| fedoraproject | fedora | — | — |
| golang | go | < 1.14.8 | 1.14.8 |
| golang | go | >= 1.15.0 < 1.15.1 | 1.15.1 |
| msrc | azl3_golang_1.23.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_golang_1.13.15-2_on_cbl_mariner_1.0 | — | — |
| opensuse | leap | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
| vendor_oracle | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA
GHSA-pfr3-j9r8-5229: Go before 1
ghsa_unreviewed·2022-05-24
CVE-2020-24553 [MEDIUM] CWE-79 GHSA-pfr3-j9r8-5229: Go before 1
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
OSV
Cross-site scripting in net/http/cgi and net/http/fcgi
osv·2022-01-13
CVE-2020-24553 Cross-site scripting in net/http/cgi and net/http/fcgi
When a Handler does not explicitly set the Content-Type header, the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.
Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
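The handler pattern the advisory describes, as an added example (not code from the Go project or the advisory): a handler that serves an uploaded file without setting Content-Type, beside a hardened version that sets an explicit non-executable type and disables sniffing. The sample file bytes, handler names and the test request path are constructed for the example; `http.DetectContentType` is the real sniffing function the fix switched to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample: an "uploaded" file whose bytes look like an HTML document.
var uploadedFile = []byte("<html><script>alert(1)</script></html>")

// vulnerableHandler follows the pre-fix pattern: it never sets Content-Type.
// Under net/http/cgi and net/http/fcgi before 1.14.8 / 1.15.1 the package
// defaulted to text/html regardless of the bytes; after the fix (and in plain
// net/http) the type is sniffed from the first Write, which for this input is
// still text/html, so the explicit header below remains necessary.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	_, _ = w.Write(uploadedFile)
}

// hardenedHandler sets a non-executable Content-Type before writing, tells the
// browser not to sniff, and forces a download rather than inline rendering.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", "attachment; filename=\"upload.bin\"")
	_, _ = w.Write(uploadedFile)
}

// serve runs a handler against a constructed request and returns the response headers.
func serve(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/download", nil))
	return rec.Result().Header
}

// sniffedType returns what the post-fix default (http.DetectContentType) infers.
func sniffedType() string {
	return http.DetectContentType(uploadedFile)
}

func main() {
	fmt.Println("no header set, sniffed:", serve(vulnerableHandler).Get("Content-Type"))
	fmt.Println("hardened:", serve(hardenedHandler).Get("Content-Type"))
	fmt.Println("DetectContentType:", sniffedType())
}
```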
OSV
CVE-2020-24553: Go before 1
osv·2020-09-02·CVSS 6.1
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Oracle
Oracle Oracle Communications Risk Matrix: Signaling (Go) — CVE-2020-24553
vendor_oracle·2021-07-15·CVSS 6.1
Oracle Oracle Communications Risk Matrix: Signaling (Go) vulnerability
CVE: CVE-2020-24553
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2021 (JUL 2021)
Ubuntu
Go vulnerability
vendor_ubuntu·2021-03-08
Title: Go vulnerability
Summary: Go applications could be made to perform XSS attacks.
It was discovered that Go applications incorrectly handled uploaded content. If a user were tricked into visiting a malicious page, a remote attacker could exploit this with a crafted file to conduct cross-site scripting (XSS) attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
vendor_msrc·2020-09-08·CVSS 6.1
CVE-2020-24553 [MEDIUM] CWE-79 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Red Hat
golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
vendor_redhat·2020-08-01·CVSS 6.1
CVE-2020-24553 [MEDIUM] CWE-79 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". This flaw allows an attacker to exploit this issue in applications using these packages by uploading crafted files, allowing a Cross-site Scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
Statement: Multiple components in the Red Hat OpenShift Container Platform are built with Go
Debian
CVE-2020-24553: golang-1.15 - Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the de...
vendor_debian·2020·CVSS 6.1
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Scope: local
bullseye: resolved (fixed in 1.15.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
bugzilla·2020-09-02·CVSS 6.1
In Go versions prior to 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
Upstream Reference:
https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs/m/UccMwBPUBAAJ?pli=1
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1874859]
Affects: fedora-all [bug 1874858]
---
External References:
https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsist
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS [fedora-all]
bugzilla·2020-09-02·CVSS 6.1
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issu
Bugzilla
CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS [epel-all]
bugzilla·2020-09-02·CVSS 6.1
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue af
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html
- http://packetstormsecurity.com/files/159049/Go-CGI-FastCGI-Transport-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2020/Sep/5
- https://groups.google.com/forum/#%21topic/golang-announce/8wqlSbkLdPs
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/
- https://security.netapp.com/advisory/ntap-20200924-0003/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

Published: 2020-09-02